• antihero 8 days ago |
    Couldn't literally all of this just be a bunch of misdirection?
    • mikeyouse 8 days ago |
      In theory, sure, in reality it's almost always much more benign and they have terrible Opsec over time that allows people to piece together their identity. Especially if they reuse usernames across services.
      • JohnMakin 8 days ago |
        It's always crappy opsec that gets people otherwise very savvy.
        • raffraffraff 8 days ago |
          Kinda like how the big mastermind criminals like Capone get away with murder and racketeering but get fucked on tax evasion.

          Reading this guy's posts, his ego is the biggest issue, and it will be his downfall. The "I literally can't get caught" mentality inevitably leads to carelessness and blabbermouthing.

          • kortilla 7 days ago |
            That’s a little different. It wasn’t that Capone couldn’t handle taxes, it was that until that point nobody used it as a serious mechanism to take down criminals. It was only validated as a good approach by the Supreme Court a few years before. In fact, one of the primary pieces of evidence of his tax evasion was communications from his lawyer about how much tax to pay to make his tax history legit in light of the recent effectiveness of tax convictions.

            Now major criminals launder money to avoid that.

          • brcmthrowaway 7 days ago |
            It appears the government at times invents laws so they can go after criminal gangs (see RICO)
          • bitnasty 7 days ago |
            Maybe he “can’t get caught” because he is state-sanctioned.
    • duxup 8 days ago |
      I feel like leaving a bunch of misdirection would also risk potentially just leaving real traces behind in some ways.

      At least in my mind leaving some false trails behind, when I run through scenarios, seems like it could leave actual trails / to the point of not being worth the extra risk.

      • brookst 8 days ago |
        Yeah. If you have a choice of giving an adversary no information or false information, no information seems safer. The choice of false information is information. Same way that people are terrible at picking random numbers and fraudsters are often caught because they avoid round numbers.
        • antihero 7 days ago |
          It would make sense if doing something illegal to do the former, but also leave "slip ups" that are complete red herrings, create trails to people that seem like opsec fails but are actually just framing others, etc.

          All about plausible deniability. Layers and layers and layers of dead ends that seem real.

          In this way, if you do actually slip up, it becomes near impossible to distinguish the real slip-ups with the orchestrated ones.

          • brookst 7 days ago |
            The problem is that false “slip ups” provide information. Sure, you waste investigators’ time, but once they rule out the false lead they have a bunch of information:

            - If the false slip-up used only public information about that space, you likely don’t have access to confidential information about that space. If it used confidential information, you do.

            - The geography and demographics of the false lead are probably not near-misses. The point of misdirection is to misdirect, so you likely won’t frame a coworker that will bring investigators to your own door.

            - Any mistakes in the false slip-up, from spelling to factual to timing, may reveal info.

            IMO this is a “too clever by half” scenario: leaving any trace at all is information. Leaving none is wiser.

            Example: you’re a master hacker. You’re going to repeatedly access a compromised system. Is it better to set an alarm for 3am each time to suggest you’re in a different time zone, or to use an RNG to choose an alarm time?

            I say the RNG is better. Using 3am gives psychographics. Random isn’t clear if there’s any planning at all, or if you travel, etc.

  • alsetmusic 8 days ago |
    > Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona.

    >

    > “Epic opsec troll,” they claimed.

    If this were really a fictitious persona meant to lead investigators away from their true identity, they'd never admit to such. This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

    Krebs has an image of a mind-map at the end of the article showing links between the aliases.

    • rudolph9 8 days ago |
      Or it’s part of the troll.
      • uoaei 8 days ago |
        Bothsidesism has crept into ... US counterintel agitprop?
    • horeszko 8 days ago |
      > Kiberphant0m denied being in the U.S. Army or ever being in South Korea, and said all of that was a lengthy ruse designed to create a fictitious persona. “Epic opsec troll,” they claimed.

      This is called a "double cover story", a classic deflection when someone is caught or exposed.

      • asimjalis 8 days ago |
        It could be a triple cover story. The faked double cover story is meant to deflect.
        • tedunangst 8 days ago |
          Maybe even skipping the quadruple cover story and going straight to the quintuple. A true pro.
          • function_seven 8 days ago |
            I always play the (2n+1) game myself. (Or do I??)
            • the_af 7 days ago |
              That's what they... er, you... er, somebody wants you to think?
              • formerly_proven 7 days ago |
                That’s my secret… I never think.
            • banku_brougham 7 days ago |
              2n for me, probably
            • User23 7 days ago |
              Better than the 3n+1 game[1]. That one can really get you.

              [1] https://www.quantamagazine.org/why-mathematicians-still-cant...

          • _carbyau_ 8 days ago |
            "Fuck everything, we're doing five covers." ... "Put another misdirect on that fucker, too."
          • labster 8 days ago |
            Good luck, I’m behind seven cover stories
            • blitzar 7 days ago |
              Gotta pump those numbers up. Those are rookie numbers in this racket. I myself, I have fourteen cover stories with an infinite loop at number 10 that directs you back to 4.
              • oefnak 7 days ago |
                Where do you use 11-14 for?
                • Mtinie 7 days ago |
                  Higher dimensional investigations.
            • avn2109 7 days ago |
              Plot twist, I'm actually undercover as you.
              • the_af 7 days ago |
                I know linking to videos on a tangent joke is frowned upon here, but I'll risk the downvotes for a worthy cause:

                You really need to watch this Key & Peele & Rocket Jump collaboration: https://www.youtube.com/watch?v=IHQr0HCIN2w

                Actually, since I'm actually undercover as you, and I've already watched it...

                • edzillion 7 days ago |
                  I know comments commending the previous post are also frowned upon but that is one of the funniest sketches I've ever seen. Hilarity ad absurdum
    • PittleyDunkin 8 days ago |
      Eh; let's wait and see. For any claim for insight there's an equivalent claim for fabrication. Any such analysis that relies on this is inherently flimsy.
    • johndhi 8 days ago |
      It also seems like a bad opsec if he creates multiple aliases for the same theme. Wouldn't you want to have one US soldier, one Russian, one African, etc. if you are trying to create red herrings?
      • XorNot 8 days ago |
        Even the soldier persona is consistent though. The trouble with opsec like this is (1) you always have to win and (2) almost everything - even total randomness - tends to create a pattern (since the negative space of trying not to stand out itself tends to make you stand out).
    • asimjalis 8 days ago |
      Maybe he is operating at the next level. He is deflecting because the investigators will think that he is trying to lead them away from their true identity and become even more convinced of it, which is exactly what he wants.
      • CoastalCoder 8 days ago |
        Truly next level would be for him to be one of the investigators.
        • chefandy 8 days ago |
          But little did he know the other instigators were investigating him… or so they thought…
        • Tepix 7 days ago |
          Let's skip this step and go to the next: It's a rogue AI.
    • dookahku 8 days ago |
      > This sounds like someone trying to deflect upon being found out. I'd wager that this person is going to be caught.

      that's what a super epic opsec troll would want you to think

      • Terr_ 8 days ago |
        "You fell victim to one of the classic blunders! The most famous is 'never get involved in a(nother) land-war in Asia', but only slightly less well-known is this: Never go up against a once-Korean-resident when death is on the line! Aha-haha-hahaha!"

        https://www.youtube.com/watch?v=pRJ8CrTSSR0

    • gostsamo 8 days ago |
      Let's just not believe anything said by an untrustworthy person. What they say should not calculate in what we believe to be true, but only evidence we can verify.
      • skybrian 8 days ago |
        Well yes, but I doubt that Krebs is really posting this data dump for random Internet readers like us. Some other investigator might find some useful hints in it, though.
      • Y_Y 7 days ago |
        I respectfully disagree. If someone is shown to be unreliable then of course you won't take what they say at face value, but there's still information there. A deliberate lie may still contain something useful and reveal something about the person.

        In fact, assuming someone to be truthful isn't a good prior, knowing that they may be "untrustworthy" doesn't tell me much, since I didn't start off thinking otherwise.

        • gostsamo 7 days ago |
          You can analyze a lie only if you know that the speaker is trying to convince you into performing an action. Binary statements about facts cannot be judged without knowing the truth. They could be used only for self-analysis of the analyzer and maybe if you want to exercise some tail chasing.

          Watch The Princess Bride and you will find a wonderful scene about choosing the right cup there.

          • laborcontract 7 days ago |
            von Neumann proved that you can extract fair results from a biased coin without knowing the bias. No truth needed.

            While it doesn’t really apply to this situation, it’s all to say that I disagree with you saying there’s only information in the truth. There’s information in everything.
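The von Neumann result the comment refers to, worked through as an added example (not from any commenter): read a biased but independent bit stream in non-overlapping pairs, keep 01 as 0 and 10 as 1, discard 00 and 11, and the output is exactly fair without ever estimating the bias. The biased source, its bias of 0.8 and the seed are constructed; the last function shows the independence assumption failing on a correlated stream.

```python
"""Von Neumann debiasing: fair bits from a biased coin of unknown bias.

Added example, not from the thread. If the input bits are independent with
P(1) = p, then P(01) = P(10) = p(1-p), so emitting 0 for 01 and 1 for 10
and discarding 00/11 gives an exactly unbiased output whatever p is. About
2p(1-p) of the pairs survive. The catch is the independence assumption:
correlated input is not repaired, as the alternating-stream case shows.
"""
import random


def von_neumann_extract(bits):
    """bits: iterable of 0/1 values. Returns the debiased (shorter) list."""
    bits = list(bits)
    out = []
    # Non-overlapping pairs: a bit is never reused, or the outputs would correlate.
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(a)  # 01 -> 0 (a == 0), 10 -> 1 (a == 1); 00/11 dropped
    return out


def biased_bits(n, p_one, seed=1):
    """Constructed biased source (not a real RNG): independent bits, P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits):
    """Empirical P(1) of a bit list."""
    return sum(bits) / len(bits) if bits else float("nan")


def expected_yield(p_one):
    """Fraction of *input* bits that survive: one output bit per pair with
    probability 2p(1-p), i.e. p(1-p) per input bit."""
    return p_one * (1 - p_one)


def alternating_stream_output(pairs=8):
    """Failure mode: a perfectly alternating (hence correlated) source passes
    the a != b test every time yet yields a constant, useless stream."""
    return von_neumann_extract([0, 1] * pairs)


if __name__ == "__main__":
    raw = biased_bits(20_000, 0.8)
    fair = von_neumann_extract(raw)
    print(f"input  P(1)={ones_fraction(raw):.3f}  n={len(raw)}")
    print(f"output P(1)={ones_fraction(fair):.3f}  n={len(fair)} "
          f"(about {expected_yield(0.8) * len(raw):.0f} expected)")
    print("alternating 0101... ->", alternating_stream_output())
```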

        • red-iron-pine 7 days ago |
          but then we're not "trusting" what they're saying, just analyzing a statement for unintentional or partial truths. the assumption is not one of credibility. everything this person is doing is dubious as hell. this means every statement or action must be analyzed with the assumption that it is bunk, and then you pick out possible truths.

          the picture of the army gear, for example, consists of gear that could be purchased at any surplus store. I'm not in the US but I could easily acquire that, and I know enough about exif data to be able to alter an image to use GPS coordinates at a US Army barracks in SK.

          meanwhile if they were showing a picture of them sitting with, say, a 240B MG, or something that actually proves they're in the US Army I might believe them.

          while bartending back in the day I used to have a coworker who, after a few drinks one night, eventually confessed she was a camgirl for a while. she went by April, who was really Stefani -- neither of which were her real names, but were just layers to keep stalkers off of her back. she had friends on the other side of the country take pictures of their dorm to help further the story. I totally believe a serious cracker would take similar precautions; OPSEC on OPSEC

          • Y_Y 7 days ago |
            I agree and liked your comment. I just want to add that I was specifically disagreeing with this:

            > What they say should not calculate in what we believe to be true

            rather than thinking about definitions of trust.

        • mnky9800n 6 days ago |
          a deliberate lie tells you something that is not true or only half true which is often as interesting as what is true. especially when you don’t know the truth.
      • sourcepluck 7 days ago |
        I can't help myself: is this the famous logic by which tech people don't trust apple, microsoft, amazon, meta, or google products?

        Or does it not apply to corporations? What's the distinction, if so? It certainly seems common not to apply it to corporations.

        Not sniping here, I actually think this is solid logic, maybe with some exceptions but generally applicable. I feel like it's so commonly and happily not applied when it comes to the above companies (and others) that I find it stunning to see it stated so clearly here.

        • cherryteastain 7 days ago |
          We already have direct evidence through Snowden leaks that US big tech corps are US intelligence assets.
        • gostsamo 7 days ago |
          This FAANG stuff is coming a bit from left field here. I have my thoughts on their involvement with the US government, but I cannot testify if those thoughts are the same for any other tech person on this platform. Lots of other stuff to say, but generally, I tend to apply the same mental tools to everyone. You should ask everyone else for their opinions individually though.
        • Y_Y 7 days ago |
          Personally my prior is that companies are always trying to manipulate you, and people only sometimes. On the other hand it can be easier to get away with false statements when you don't have a large audience and deep pockets.
        • leptons 7 days ago |
          Well it certainly doesn't apply to politics, 70+ million people believed every lie their cult leader told them (and it was a lot of lies).
    • kgeist 8 days ago |
      Interestingly, Kiber- is how a Russian would transliterate "Cyber-". At first I thought he must be Russian, by the nickname alone (I'm a Russian speaker).
      • ANewFormation 8 days ago |
        Something I don't understand is why people don't appreciate /expect misdirection.

        For instance, a malicious actor, of even basic sophistication, coming from a Russian IP and occasionally using Cyrillic and missing grammatical articles is probably not Russian. Similarly a malicious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy probably is not American.

        False attribution is a core lesson in malice 101.

        • andrewflnr 8 days ago |
          There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.
        • ykonstant 7 days ago |
          Spot on, chap.
        • johnnyanmac 7 days ago |
          Not that it's necessarily the case here, but you'd be surprised how many grand capers were only busted because the actor made an embarrassingly dumb mistake in leaving some obvious trail.

          It's not unheard of to apply some occam's razor just in case while keeping misdirection in mind. Even masterminds aren't perfectly rational actors that cross all their t's.

        • rightbyte 7 days ago |
          Doubly so since warmongers will defend your persona and corporations will use the persona as a politically palatable scapegoat.
        • strken 7 days ago |
          You need actual evidence to make claims like this and be believed. "Possibly not Russian/American" is self-evident due to how easy misdirection is, but "probably not Russian/American" is a matter of probability for which you've presented no meaningful data or argument.
        • close04 7 days ago |
          > False attribution is a core lesson in malice 101

          I was always surprised to see security researchers confidently attributing some attack to a specific group based on easily falsifiable things like localization, alphabet, time zone, coding "style", specific targets, etc.

          Even if researchers can undeniably link one attack to a certain group (like when they publicly take responsibility) and can label their style accordingly, all those indicators become at least semi-public. If the researchers have access to them, so do other actors who are free to fake or imitate them. The confidence is probably more for the media reporting.

        • lupusreal 7 days ago |
          If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.

          Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.

          • pphysch 7 days ago |
            This is right. So many incentives are stacked in favor of making false attributions, specifically to enemy state actors:

            - real attacker doesn't want to get caught

            - victim doesn't want to admit being pwned by a script kiddy or petty criminal

            - military-industrial complex needs foreign threat inflation to stay in business

            - media loves the intrigue

            The pushback would come from the foreign state being falsely slandered, but they never get a say anyways.

            • ANewFormation 7 days ago |
              solarwinds123
        • red-iron-pine 7 days ago |
          Attribution is hard, and is a critical part of Threat Analysis.

          I generally agree with the quip about American patriot actors, mostly.

        • RicoElectrico 7 days ago |
          Forget about grammar. Eyeless emoticons are the best predictor)))
      • boohoo123 7 days ago |
        Yeah, but 2 years prior he used the handle cyberphantom. So the switch is most likely him trying to throw people off.
      • ARandomerDude 7 days ago |
        I’m guessing any American military member in the Intel or Cyber business would know that these days though.

        Years ago when I was in the US military I knew many Russian weapons systems better than their US/NATO counterparts and had developed a decent working vocabulary of Russian words and prefixes in that specific area because it was my job to study Russian equipment.

      • mnky9800n 6 days ago |
        as an aside, i find that western people, even many hacker news denizens, are unaware that ru-net exists much less that it has its own language, memes, technology, etc.
    • hilbert42 8 days ago |
      Right, there's something odd about this. That image from 2022 of a person's legs [Kiberphant0m?] in army fatigues ought to be a dead giveaway. For starters why would anyone be stupid enough to do that, second I'd reckon the floor pattern alone might be enough to reveal the person, again why do that? Surely those involved would have thought of that? Alternately they're on the room-temperature side of dumb.

      Of course, that doesn't include the image being a ruse for other schema.

      • bayindirh 7 days ago |
        > Alternately they're on the room-temperature side of dumb.

        When combined with the uses they claimed for their botnet, the person we're talking about leaves an impression of having the emotional maturity of a 10 year old.

        So, you might not be very far off when it comes to non-technical skills.

        • scotty79 7 days ago |
          > leaves an impression of having emotional maturity of a 10 year old

          That fits well with the position of US president or the currently richest person on Earth.

          • hilbert42 7 days ago |
            I dare not comment, the thread would be deleted. ;-)
      • krisoft 7 days ago |
        > why would anyone be stupid enough to do that

        To prove their "credentials", that they are a real-world "tough guy", in the hopes of gaining social clout among their peers.

        Same reason why some post classified information on Discord or War Thunder.

    • seanhunter 7 days ago |
      Yes. I'm pretty sure if you spoke to an intelligence analyst they would tell you there's no such thing as an opsec troll.

      Everything your target does (including misdirection) gives or risks giving away information, and there's no way someone who is actually in control of events would blow a cover because even if you were 99% certain it was false, you would have to continually waste resources trying to confirm that. In particular if they invested a lot in building this persona and you were on to them it's much more likely they would just go dark, wait and plan how to pick up with a new persona.

      • InDubioProRubio 7 days ago |
        There are robots for everything social now, including manufacturing personas.
        • datadrivenangel 7 days ago |
          It's not about the volume of manufactured personas, it's about the tool-marks that can be analyzed.
    • Oarch 7 days ago |
      You'll never catch me!
  • gregw2 8 days ago |
    Any insight based on a histogram of the timing of this person's posts, particularly ones responding to a just slightly earlier post? (i.e. was clearly awake and not an artificially-delayed response).

    Krebs knows about this timezone analysis technique, wonder if he didn't check this or it was inconclusive?

    • t-3 8 days ago |
      Is that effective for people who aren't literally being paid a salary to do this stuff 9-5? A lot of people who spend too much time on computers have totally out of whack sleep schedules that would look like they're operating from very different timezones.
      • alwayslikethis 8 days ago |
        You can also schedule your posts, commits, etc to go out at some fixed hours each day.
        • sundarurfriend 8 days ago |
          You can, but a lot of these pattern analyses work out because people get sloppy and overconfident over time, and don't use these measures even if their lives are on the line.
      • aaron695 7 days ago |
        Police raids in long sieges happen ~ 3:30-4:30am

        People have wacky schedules but it's about when you never work

        You could do an analysis on HN comments.

        It's very hard to fake, you'd have to schedule on all channels. For instance don't look at all of a user's HN comments, just ones posted less than an hour after it was on the front page.

        I always set the time zone on my PC to a fake one. It causes havoc sometimes and it's not even close to enough. It's hard once someone is after you.
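The histogram analysis gregw2 asks about, with aaron695's filter (keep only replies posted within an hour of their parent, so scheduled posts drop out) and the quiet-window reading ("it's about when you never work"), as an added example that is not from any commenter. The data is constructed: an account assumed to sit in UTC+2 that replies quickly through its local day and also has a daily scheduled post at local 03:00 (brookst's "3am alarm" case upthread); the "people go quiet near local midnight" rule used to guess an offset is a stated heuristic, not a fact from the thread. Run unfiltered, the scheduled post both spikes the histogram and pushes the guess to the wrong zone.

```python
"""Hour-of-day activity analysis of a pseudonymous account's posts.

Added example with constructed data, not real posts. Keep only "quick
replies" (posted within an hour of the parent, so a scheduler cannot have
made them), bucket by UTC hour, and look at the hours in which the account
is *never* active: the quiet window, not the busy hours, hints at a zone.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

QUICK_REPLY_WINDOW = timedelta(hours=1)


def constructed_posts(days=10, utc_offset=2):
    """Constructed sample (assumption: account lives in UTC+2). Nine quick
    replies per day at local xx:15 (parent 10 min earlier) plus one scheduled
    post at local 03:00 whose parent is six hours old."""
    tz = timezone(timedelta(hours=utc_offset))
    first_day = datetime(2024, 11, 1, tzinfo=tz)
    posts = []  # (post_time_utc, parent_time_utc)
    for d in range(days):
        day = first_day + timedelta(days=d)
        for hour in (8, 9, 11, 13, 15, 17, 19, 21, 23):
            t = day.replace(hour=hour, minute=15).astimezone(timezone.utc)
            posts.append((t, t - timedelta(minutes=10)))
        scheduled = day.replace(hour=3, minute=0).astimezone(timezone.utc)
        posts.append((scheduled, scheduled - timedelta(hours=6)))
    return posts


def quick_replies(posts):
    """Replies made within QUICK_REPLY_WINDOW of the parent: the account was
    demonstrably awake, not running a scheduler."""
    return [(post, parent) for post, parent in posts
            if timedelta(0) <= post - parent <= QUICK_REPLY_WINDOW]


def hour_histogram(times):
    """24 counts indexed by UTC hour of day."""
    counts = Counter(t.hour for t in times)
    return [counts.get(h, 0) for h in range(24)]


def longest_quiet_window(hist):
    """(start_hour, length) of the longest run of zero-count hours, letting
    the run wrap past midnight. (None, 0) if no hour is quiet."""
    n = len(hist)
    best_start, best_len = None, 0
    run_start, run_len = None, 0
    for i in range(2 * n):  # two laps so a run crossing hour 0 is seen whole
        if hist[i % n] == 0:
            if run_start is None:
                run_start = i % n
            run_len += 1
            if best_len < run_len <= n:
                best_start, best_len = run_start, run_len
        else:
            run_start, run_len = None, 0
    return best_start, best_len


def infer_utc_offset(quiet_start_hour, assumed_local_sleep_start=0):
    """Heuristic (assumption): the account goes quiet around local midnight,
    so offset = (0 - quiet_start) mod 24, folded into -12..+11. Several
    offsets are usually plausible; this narrows, it does not prove."""
    offset = (assumed_local_sleep_start - quiet_start_hour) % 24
    return offset - 24 if offset > 12 else offset


def analyze(posts, only_quick_replies=True):
    selected = quick_replies(posts) if only_quick_replies else posts
    hist = hour_histogram([post for post, _ in selected])
    start, length = longest_quiet_window(hist)
    return {"hist": hist, "quiet_start": start, "quiet_len": length,
            "utc_offset_guess": None if start is None else infer_utc_offset(start)}


if __name__ == "__main__":
    data = constructed_posts()
    print("quick replies only:", analyze(data))          # quiet 22..05 UTC -> +2
    print("all posts         :", analyze(data, False))   # 01:00 UTC spike -> wrong zone
```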

  • duxup 8 days ago |
    >‘BUTTHOLIO’

    These guys always seem to have the most stereotypical or corny hacker handles. Is that expected / desirable in that community?

    • taspeotis 8 days ago |
      I believe the hacker known as 4chan once explained they choose their handles “for the lulz”
      • Apocryphon 8 days ago |
        Legion of Doom / Masters of Deception would like a word.
        • tedunangst 8 days ago |
          Phiber Optik just doesn't have the same haha you said peepee vibe.
    • Apocryphon 8 days ago |
      I do think it’s funny how that might be a character revealing moment, suggesting the hacker is Gen X or at least elder millennial age.
      • A4ET8a8uTh0 8 days ago |
        I did toy with the idea of trying to do analysis of HN aliases and keywords. It never went anywhere, because I forgot about it, but a longer weekend is coming:D But yeah, language betrays who we are in references alone.
        • gopher_space 8 days ago |
          There's no way you could determine how old a person is or what technologies they enjoyed way back in college solely from a username.
          • willvarfar 8 days ago |
            Are you just trying to goad them into showing they can? :D
            • kasey_junk 7 days ago |
              -gopher- space made the comment you are replying to.
        • oefrha 8 days ago |
          Have fun analyzing the alias I pulled from /dev/urandom!
          • imp0cat 8 days ago |
            Knows of the existence of /dev/urandom, must be old! ;)
    • aaronbrethorst 8 days ago |
      corny

      I see what you did there.

    • heromal 8 days ago |
      Yes
    • juunpp 8 days ago |
      The real question is: who calls their company "Snowflake"? It's just crying to get stomped on.
      • Der_Einzige 8 days ago |
        Snowflake did the biggest epic fail of the ZIRP era. They bought streamlit (a python GUI front end for ML demos) for 800 MILLION dollars.

        https://techcrunch.com/2022/03/02/snowflake-acquires-streaml...

        Huggingface bought its biggest competitor, Gradio (still used more than Streamlit) for an "undisclosed" amount of money a year or so beforehand. I'd wager HF paid on the order of 1-5 million.

        • bagels 8 days ago |
          That is amazing! What a coup. I thought streamlit was pretty cool, but surely it wasn't $800m cool.
        • rawgabbit 8 days ago |
          Salesforce purchased Mulesoft for $6.5 billion. Mulesoft was so successful they decided to buy a different ETL tool Informatica. But the deal fell through. Mulesoft has about 1500 clients vs 9500 clients for Informatica.
        • rajamaka 8 days ago |
          Comparing a disclosed sale price to an unknown theoretical sale price is a bit unfair though. Maybe it was 801 million.
          • Der_Einzige 8 days ago |
            No way, HF didn't have anywhere near that kind of money when they acquired Gradio. I think they did it back in 2020 or 2019. I know for a fact it was a tiny sum.
        • wodenokoto 8 days ago |
          I doubt Gradio is used more than streamlit. And so does Google [1]

          I know that's not exact, but if more people used Gradio, you'd expect at least a somewhat similar number of people searching for it online. Gradio is not even in the same ballpark as Streamlit here.

          [1] https://trends.google.com/trends/explore?date=now%201-d&q=%2...

          • Der_Einzige 8 days ago |
            I don't know what to say except that the overwhelming majority of HF spaces are made as Gradio demos and that gradio's whole design makes it far easier to do async things unrelated to reloading the webpage - which is a huge thing for ML/AI demos.

            I don't claim you're wrong, but I claim that gradio is far more effectively profitable to know than streamlit is - i.e. Gradio demos are used far more for a top AI paper demo (i.e. NeurIPS system demos) than Streamlit is.

      • mulmen 8 days ago |
        Snowflake is a type of multidimensional schema. It's a normalized star schema. Both named for the appearance of their entity relationship diagrams.
        • chatmasta 7 days ago |
          Snowflake schema is obviously the etymology, but the official story is that the founders “really like skiing.” It’s always aggravated me. I just assume the CEO told them to go with that instead.
    • internet101010 8 days ago |
      Give them a break. They need tp.
      • ethbr1 8 days ago |
        Why would they need tp?
        • mikeyouse 8 days ago |
          The bungholio name is a reference to the Beavis and Butthead name where they’d say, “I am cornholio, I need TP for my bunghole”. You really had to be there.

          https://m.youtube.com/watch?v=LHv2dIM3t9I

          • ethbr1 7 days ago |
            Oh, I was there. heeheeBUNGholeheehee
          • BeFlatXIII 7 days ago |
            The unregistered HyperCam 2 banner ties the whole compilation together.
        • red-iron-pine 7 days ago |
          ಠ_ಠ

          edit: okay fine I'll bite -- because of chicken piccata

  • ChumpGPT 8 days ago |
    Seems like the guy has been fucking around for a while. No wonder none of our allies want to share intelligence or plans with us. The US Military is a liability when it comes to keeping shit secret, they leak like a sieve. They need to get a handle on this shit, who knows what this guy has given to the Russians or Chinese.
    • 6510 8 days ago |
      "pay-to-play"
  • excalibur 8 days ago |
    > Immediately after Kiberphant0m logged on to the Dstat channel, another user wrote “hi buttholio,” to which Kiberphant0m replied with an affirmative greeting “wsg,” or “what’s good.”

    It's kind of unfortunate for him that he didn't do a better job of referencing Beavis and Butthead. If his username was "Cornholio" or even "Bungholio", it could read as someone directly referencing the show and potentially unrelated to the other account, making his deniability a bit more plausible.

    • boomskats 7 days ago |
      A true opsec troll is saving those references for the final standoff, for when they start really threatening him.
      • red-iron-pine 7 days ago |
        yeah that's 3 or 4 layers in. until then convince them you're Iranian and Chinese first
    • kordlessagain 7 days ago |
      They have gone from "I literally can't get caught" to "Oh no, everyone on Hacker News is discussing my l33t hacker identity... checks notes ...Buttholio. Perhaps I should have workshopped that name a bit more."
  • fnord77 8 days ago |
    Being a high-stakes criminal is too difficult. One slip-up and you're compromised. There's a million opportunities for slip-ups and there's a million opportunities for investigators to get lucky.
    • alwayslikethis 8 days ago |
      True, but you only hear about the ones who slipped up. I wonder what is the actual proportion of criminals being caught due to poor opsec.
      • brookst 8 days ago |
        To turn it around: what percentage of people are capable of perfect opsec forever?
        • flextheruler 7 days ago |
          For internet crimes? Almost none in perpetuity. I’d think you’d need to go off the grid totally for a few years and come back without any reference to a prior life. For physical crime, my gut says quite a few people have avoided identification for decades until they were essentially caught by turning themselves in. Ted Kaczynski comes to mind, but there must be a few others.

          Perfect OPSEC to me, means near total isolation from socialization. Not something most people are capable of.

          If you’re a professional criminal of any kind you weigh the risks knowing that perfection is impossible. The government is a business with a monopoly on violence. The goal is to keep their ROI for catching you as low as possible. Every single man hour spent finding you is costing money and there’s a man upstairs who wants to see some results that reflect the money spent.

          Once you understand that premise, it’s easy to understand why and how criminals are caught. The ones who are caught are always the ones who don’t know when to fold. Always the ones not to cash in and retire.

          The ones who get away with it, they fold, they retire, and society forgets about them and the ROI drops precipitously on catching them. Research statistics on cold cases.

      • ethbr1 8 days ago |
        There's a line at the beginning of Ocean's 11 to the effect of "the house always wins in the long run... unless you bet it all on a great hand, win, and then walk away."
        • mxuribe 7 days ago |
          > ...and then walk away.

          I think that's the key right there! ;-)

  • juunpp 8 days ago |
    I guess we'll soon find out how well the NSA normalizes its databases. Bring on that schema, folks.
  • teractiveodular 8 days ago |
    > “Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”

    SBF levels of self-pwning right there. When, not if, they catch him, the Feds are going to hang this clown out to dry.

    • tgsovlerkhgsel 8 days ago |
      I'd rather see them hang out to dry the 15+ telecoms who gave away "the IMSI number to every single person that's ever registered in..." because doing so was cheaper than investing in security.
      • atoav 8 days ago |
        The only data you can't leak is the data you don't have.

        Therefore some data should either not be stored at all or deleted after it served its purpose.

        • dfedbeef 8 days ago |
          Probably hard for a telecom company to not keep IMSI -> account association somewhere
          • mschuster91 7 days ago |
            Yeah, in separate databases on separate systems. The network plane of a phone provider should only be able to access a database mapping IMSI -> account ID, and the billing/customer service department should only be able to access a database mapping account ID -> actual account data.

            Unfortunately, anything involving phones is based on literally decades of stuff that was made in a time where every participant in the network was trusted by default, and bringing up the legacy compatibility stuff to modern standards is all but impossible.

            • kube-system 7 days ago |
              > decades

              ss7 was developed almost a half-century ago, wasn't it?

          • red-iron-pine 7 days ago |
            randomized IDs and linked lists, which correspond to entries in DBs elsewhere.

            IMEI 123456789 has ID sjkadnasf8uywjerhsdu, and then the hyper locked-down Mongo instance used by billing knows that sjkadnasf8uywjerhsdu relates to John Smith, credit card number xxxx xxxx xxxx xxxx

            make it so you have to crack all of em, instead of just nailing one and walking out w/ all the crown jewels
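
The split the two comments above describe (the network plane holds only IMSI -> account token, billing holds only token -> customer data) as an added Python sketch; this is not code from the thread or from any telecom, and the subscriber rows, the store layouts and the audit function are all constructed here and assumed:

```python
import secrets

# Constructed sample subscribers (made-up IMSIs and names, not real people).
SAMPLE_SUBSCRIBERS = [
    ("310260000000001", "John Smith", "4242"),
    ("310260000000002", "Jane Doe", "1881"),
]


def build_monolithic_store(subscribers):
    """Weak design: one table pairs the IMSI directly with name and card.
    A dump of this single store is the whole crown jewels."""
    return {imsi: {"name": name, "card_last4": card}
            for imsi, name, card in subscribers}


def build_split_stores(subscribers):
    """Split design: the network plane maps IMSI -> random token, and the
    billing store maps token -> PII. Neither store contains the other's key."""
    network, billing = {}, {}
    for imsi, name, card in subscribers:
        # Random, NOT derived from the IMSI (e.g. a hash of it): a derived
        # token would let anyone holding a billing dump rebuild the link by
        # enumerating plausible IMSIs and recomputing the derivation.
        token = secrets.token_urlsafe(16)
        network[imsi] = token
        billing[token] = {"name": name, "card_last4": card}
    return network, billing


def imsi_to_person(imsi, network=None, billing=None):
    """Resolve an IMSI to a person. In the split design this only works when
    BOTH stores are available, which is the property the design buys."""
    if network is None or billing is None:
        return None
    token = network.get(imsi)
    return billing.get(token) if token else None


def records_linking_imsi_to_pii(dump):
    """Audit helper: count rows in a single dumped store that pair an
    IMSI-shaped key (15 digits) with customer data in the same row."""
    return sum(
        1 for key, value in dump.items()
        if key.isdigit() and len(key) == 15
        and isinstance(value, dict) and "name" in value
    )


if __name__ == "__main__":
    mono = build_monolithic_store(SAMPLE_SUBSCRIBERS)
    net, bill = build_split_stores(SAMPLE_SUBSCRIBERS)
    print("monolithic dump links IMSI to PII:", records_linking_imsi_to_pii(mono))
    print("network-plane dump alone:", records_linking_imsi_to_pii(net))
    print("billing dump alone:", records_linking_imsi_to_pii(bill))
    print("both stores together:", imsi_to_person("310260000000001", net, bill))
```

The audit function is the part worth keeping around: run it over any single store's export and a non-zero count means that store alone already ties a subscriber identifier to a person, which is exactly the condition the split is meant to rule out. Access control between the two stores (separate credentials, separate network segments) is assumed rather than shown here.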

      • nkrisc 7 days ago |
        Why not both?
    • benreesman 7 days ago |
      Anthropic levels of getting seed funding from SBF and ending up a power unto themselves.
  • markus_zhang 8 days ago |
    My two cents:

    - The "hacker" (I'm reluctant to use this term) seems to be too high profile for some reason;

    - We should discard Telegram

    • shdh 8 days ago |
      What does "discarding" Telegram mean?
      • markus_zhang 8 days ago |
        We should not use Telegram -- sort of. I wonder whether Signal is better.
        • xvector 8 days ago |
          Signal is absolutely better. Telegram is e2ee in name only
          • autoexec 7 days ago |
            Not recommending Telegram, but personally, I suspect that Signal is compromised. They've been permanently storing sensitive user data in the cloud for a long time (https://community.signalusers.org/t/proper-secure-value-secu...) but the very first sentence of their Terms and Privacy page still claims "Signal is designed to never collect or store any sensitive information." and they've been asked multiple times but refuse to update their privacy policy. I suspect that lie is being kept there as a giant dead canary.

            Making the change to start keeping exactly the data that the government has been asking them to turn over isn't a very good look. "Securing" users' data with something as weak as a PIN isn't great either. https://www.vice.com/en/article/pkyzek/signal-new-pin-featur... Note that the "solution" of disabling PINs mentioned at the end of the article was later shown to not prevent the collection and storage of sensitive user data. It was just giving users a false sense of security. To this day there is no way to opt out of the data collection.

            • xvector 7 days ago |
              Oh wow. Yeah. This changes my opinion on Signal.

              Why the fuck did they make such terrible insecure defaults for backups? IMO they should not even be doing backups at all by default, what the fuck.

        • wffurr 8 days ago |
          Not sure Signal would have made a difference for this criminal. All the data on them I saw in the article was likely captured by someone in the channel / group message.

          It’s just plain poor opsec, but I kind of expect that from someone with poor enough judgement to be a criminal.

        • 71bw 7 days ago |
          >We should not use Telegram

          But why? There is no better platform for private and small chats.

          • JTyQZSnP3cQGa8B 7 days ago |
            Telegram is not E2E encrypted by default, and even if it changed, I wouldn't trust them. It's not private.
  • assanineass 8 days ago |
    They already arrested them right?
    • sans_souse 8 days ago |
      No they arrested two others.
  • IAmGraydon 8 days ago |
    This seems like it would be rather easy for the government to narrow down. Check the logs of who applied for an NSA job on or around the date the screenshot was posted and cross reference any that are/were located in South Korea. I would think that would produce a rather short list that a bit more investigation would crack.

    The guy seems arrogant, and arrogant = sloppy. He'll get caught.

    • readyplayernull 8 days ago |
      He knows he's about to get caught, which is why he hurried to knock on the NSA's door. They might let him in after all.
      • lukan 7 days ago |
        But probably after they arrested him, to help with negotiations.

        And to pop that bubble of false confidence.

        The way he acted would be a big red flag for me if I were to hire him. Maybe skillful, but careless. And that is not acceptable in that line of work. (Nor is it in the military.)

  • ilaksh 8 days ago |
    You might be able to get a rough show size and height/weight range from that photo.
    • lph 7 days ago |
      I wonder how unique those floor tile patterns are? If that's taken on a military base in Korea, it might be possible to find the exact location of the photo.
  • hn_user82179 8 days ago |
    what a great article, I loved seeing the links that Krebs (?)/Unit 221B (?) dug up and all the info they managed to connect. It felt like I was reading a detective story. It sounds like this guy is doomed, the NSA application date alone basically identifies him
    • Tepix 7 days ago |
      If you have enough data, I wonder how much of this digging can be automated these days with good LLM prompts. Doing it manually is very time-consuming.
      • jamestimmins 7 days ago |
        I think this whenever I read a modern detective novel (Bosch). So much of their work seems to be looking up data from different databases and trying to make connections or recognize patterns.

        I assume the FBI or whomever has automated this to some degree already, and I really hope someone does a great writeup of how LLMs/agents can do even more.

      • CharlieDigital 7 days ago |
        The real work doesn't happen in the LLM.

        Having worked with LLMs over the past year+ trying to get them to do useful things in various contexts, the real work is typically pretty boring data acquisition (e.g. scraping) + ETL and then making that data available to the LLM.

    • polyvisual 7 days ago |
      221B is 221B Baker Street, where Sherlock Holmes lived.
  • benreesman 7 days ago |
    Jesus. Let’s tick another box on our late capitalism bingo card: our soldiers are so desperate for cash and so cynical around institutions that they’ve started doing mercenary crime.

    I can’t be the only person who has read of such situations throughout history.

    • kortilla 7 days ago |
      What does this have to do with late capitalism? This has happened all throughout history and you just said you read about it yourself
      • benreesman 7 days ago |
        The root of all failure at the level of the society is the fungibility of inherited wealth into political power, which rapidly gets deployed to impoverish everyone else including soldiers, and on its way it tramples institutions once revered.
        • laborcontract 7 days ago |
          they could have just had an alcoholic parent.
          • benreesman 7 days ago |
            I’m a pretty easy going guy in general but others might take offense.
        • causal 7 days ago |
          > The root of all failure at the level of the society is ...

          Or maybe the real root is our tendency to fixate on simplistic reductions.

    • 542354234235 5 days ago |
      Soldiers have a guaranteed paycheck, food, and housing, are not "at will" and can't be fired without cause and a formal process, and have "free" healthcare. It is one of the most socialist jobs you can have in the United States.
  • Simon_ORourke 7 days ago |
    Doesn't that just mean they won't ever be subject to prosecution by the International Criminal Court?
  • paganel 7 days ago |
    This Krebs guy is a doxxer through and through, I wouldn't take anything that he writes down as being serious. If he thinks he knows something and he has palpable proof for it then he should contact the relevant authorities.
    • richbell 7 days ago |
      > This Krebs guy is a doxxer through and through, I wouldn't take anything that he writes down as being serious.

      Can you explain your definition of "doxxing" and why you believe that means nothing he writes is serious?

      • paganel 7 days ago |
        > Can you explain your definition of "doxxing"

        Revealing people's names and addresses and implying that they have done something illegal, while the person doing that (this Krebs guy) does not represent the Law/the relevant authorities. See the Boston bombings debacle on this very website.

        > why you believe that means nothing he writes is serious?

        See the Boston bombings debacle on this very website.

        • richbell 7 days ago |
          > See the Boston bombings debacle on this very website.

          I'm familiar. I don't see the relevance considering that the linked article does not reveal anyone's names or addresses.

          • paganel 7 days ago |
            He did that in the past.
            • richbell 7 days ago |
              Falsely?
      • mtlynch 7 days ago |
        I'm overall a fan of Krebs' work, but he has done some questionable things to reveal people's identities that feel more like immature spite, sometimes outside the context of any crime he's accusing the person of committing:

        https://itwire.com/business-it-news/security/86867-infosec-r...

        • richbell 7 days ago |
          Thanks for sharing context. That definitely reflects poorly on him and hurts his credibility.

          When I read "an investigative journalist is publishing information alleging criminal activity" my reaction was "so what?" What you linked is not that.

        • zrobotics 7 days ago |
          Wow, thanks for posting that. My view of Krebs just got way more negative, I'll definitely be taking stuff I read from him with a very big grain of salt from now on.
  • Bengalilol 7 days ago |
    I don't get how such people could be as verbose as shown in this quite precise article. And I'm not even getting into the idea that he could be a US soldier ...
    • red-iron-pine 7 days ago |
      he's not. it's gear you can order online or get at any local surplus store. I'm not even in the US and a quick look shows it's trivial to get.

      it's another layer of obfuscation. strippers telling you their name is April (but then whispering to you that their real name is Stefani)... but their real name is actually Angela, and it's just another deflection to keep off the stalkers.

      same idea with IT OPSEC

  • cedws 7 days ago |
    It's a good thing that independent cybercriminals like this are so arrogant that they make the most basic opsec mistakes and expose themselves.
  • victorbjorklund 7 days ago |
    It is always really bad opsec that gets them. Always.
  • 0xDEAFBEAD 7 days ago |
    I noticed he seems to have posted a photo of his camouflage uniform? Pretty sure those are unique to every soldier...
    • bityard 7 days ago |
      No, they are a very standard pattern.
      • andrewflnr 7 days ago |
        Maybe GP was thinking about lining up specific pattern features with e.g. pockets and seams to identify a particular uniform.
      • 0xDEAFBEAD 7 days ago |
        Can you show me an image where 2 soldiers, both wearing fatigues, have an identical camouflage pattern? Every image I find on Google Images has a distinct pattern per soldier.
        • therealfiona 7 days ago |
          It isn't a per-soldier thing. It's just pieces of fabric that are all cut differently. They aren't out there making sure one person has a specific pattern that matches every single one of their uniforms, and doesn't match someone else's.

          I get the line of thinking, and I tend to agree that if they really wanted to, they could figure out a way to match the pattern of a uniform to the person if the person had published a picture of themselves wearing the article on something like Facebook.

          But that's a big if. When I was in the military, I think I posted like one picture of me in camo and the resolution was so low that you probably didn't have enough detail to come to any conclusions.

          • 0xDEAFBEAD 7 days ago |
            The US has about 24K soldiers in Korea. That's not that many. Presumably they stand at attention every so often anyways. So photograph them all standing at attention and match the camo.
            • bitnasty 7 days ago |
              You think they only have one uniform?
    • gosub100 7 days ago |
      The floor tiles (particularly the edges) might be able to locate which building he was in, which could further narrow it down.
      • mft_ 7 days ago |
        They’d better hope Rainbolt doesn’t take on the challenge…
    • nonameiguess 7 days ago |
      They aren't issued to you. You just buy them at the post exchange. You can buy one pair or 30. You can buy new ones every three years or every three weeks. The Army has no database mapping every specific pants pattern ever sold to a particular buyer, let alone a particular wearer, as junior enlisted who aren't married live in shared barracks and are perfectly able to share clothing if they wear the same size.
  • bityard 7 days ago |
    Some serious testicular fortitude in that guy.

    If a civilian gets caught doing something illegal, they are entitled to a fair trial with a jury of their peers. If a military member gets caught doing the same thing, the court martial is a mere formality, they just more or less go straight to jail for a very long time.

    • brcmthrowaway 7 days ago |
      Wait, you give up civil rights to be in the military? Is this outlined to people when they sign up?
      • LeftHandPath 7 days ago |
        Yes. See the Uniform Code of Military Justice (UCMJ): https://en.wikipedia.org/wiki/Uniform_Code_of_Military_Justi...
      • throwup238 7 days ago |
        Yes, it’s made very clear in the enlistment contract (the military equivalent of an employment agreement) that they’re waiving certain rights and submitting themselves to military jurisdiction for offenses covered under the UCMJ.

        This topic has been litigated a lot in front of SCOTUS like with Standard Form 86 (where one waives the right to free speech for security clearance) so there’s certain language they have to contain to be valid.

      • gzer0 7 days ago |
        Wow, TIL that if you're drafted (and forced to serve against your will), the government can subject you to military law (UCMJ), which limits many of your rights, like the right to a civilian trial by jury.

        Courts have upheld this because Congress has the power to regulate the military, but it still feels like a huge shift in rights for someone forced to serve.

        It feels... intuitively unjust that the government could compel service and then subject individuals to a system that limits their constitutional rights.

        • pas 7 days ago |
          seems very logical considering the last centuries. nation state needs military, military needs people to STFU and do what needs to be done.

          and unfair, considering that rich people always found ways to dodge the draft or serve in armchair positions, but taking this into account it's just even more obvious that special interests did what they usually do.